A significant domain name system (DNS) flaw first spotted by Dan Kaminsky, IOActive director of penetration testing, is now out in the wild, and unfortunately for Internet users, it’s the kind of danger that isn’t easily seen.
Imagine you’re heading home from work, and you arrive at what appears to be your home.
So you use your keys, and you enter through the front door.
You take off your shoes, stretch, grab a drink from the refrigerator, and start paying bills. In this analogy, there’s no hacker lurking over your shoulder — the hacker is the house, a replica of your home, and you wouldn’t even realize you had walked into something entirely different. Every move could be captured and cataloged, and later they could be used to drain bank accounts, steal identities and tip hapless homeowners into foreclosure.
A bit of hyperbole?
Not so much.
Hackers can use the DNS flaw to redirect Web page requests to carefully crafted phishing sites by replacing legitimate addresses with nefarious addresses and in effect gain control over a domain — unless an Internet service provider or enterprise has installed a fix on its DNS servers.
Some reports indicate that about half of all DNS servers remain unfixed.
How’s the Sky Doing?
Upon discovering the flaw (a type of cache poisoning attack), Kaminsky tried to keep the problem quiet by working directly with major Internet solution providers, including Cisco, Microsoft and the Internet Systems Consortium (ISC) to create patches. The exact details of the flaw were to be seen only by the individuals working on a fix — Kaminsky reportedly planned to reveal more specifics about the exploit at the Black Hat conference in early August. However, details slipped out on the Web prematurely, and they’re now available on several sites — most notably Metasploit.
The presence of the DNS exploit in the wild has started a tsunami of scrambling administrators, lost productivity, and the potential for some real criminal damage around the world.
“I’m up to my eyeballs on this thing. It’s just unbelievable — it has hit the fan. DNS is getting totally poisoned and polluted around the world. Hackers are doing things nobody anticipated,” Mel Beckman, a California-based network security expert and system administrator for multiple name servers, told TechNewsWorld.
“Probably the most unanticipated thing is they are poisoning name servers to redirect mail from popular mailing services like Hotmail and others so the hackers can read the mail, and then send it onto its destination with nobody being the wiser. This is just unbelievably insidious. You don’t even know it has been intercepted. If you’re an e-mail technologist, you can tell by looking at the e-mail headers … but most won’t notice anything wrong,” he explained.
Hidden in Russia and China
“It’s been done with Hotmail, with Everyone.net, with Gmail, and it has nothing to do with the security of these mail providers because what the hackers are doing is poisoning the DNS so that it says, ‘Oh, Hotmail is not over here, it’s over here in Russia. And it gives an IP address for a Russian or Chinese mail server,” Beckman said.
“We’re seeing a lot of this from China — and within hours of this knucklehead releasing the exploit, the hacks started,” he added.
More Than Just Tape
“It’s a big deal to patch this problem — it’s an enormous undertaking. I’ve spent 100 hours this week dealing with this. Last night I got about three hours of sleep,” Beckman said.
“We got a lot of reports of DNS servers being down or turned off, because what would happen is that people were simply just turning their servers off rather than risk poisoning, which was the right thing to do,” he said.
Older Servers, Multiple Headaches
“Everyone says, ‘Patch your name servers’ as if it’s trivial, but it’s not trivial, because a lot of time the fix requires upgrading the operating system … and upgrading the operating system affects other things,” Beckman explained.
“Name servers tend to be the oldest servers running the oldest operating systems in an IT shop — that’s a mistake, but that’s what everybody does. Normally you’d take six months to do a migration like this, and we were given basically a few days,” he added.